Please don't forget to add the referenced RFCs in section 1.6.3.

My recent commits added a reference to the appropriate RFCs in Sec 1.6.3

I also did a full review of RFC 6840. Several Forum members advised either moving the RFC 6840 reference to a SHOULD or bringing in specific sections. Upon reviewing the RFC I feel the only sections that need to be referenced in the Baseline Requirements are Sections 2 and Sections 4 and it would be best to keep them as a MUST statement.

Section 2 defines the critical additional algorithms NSEC3 and SHA-2. To quote RFC 6840:

Validators that do not support
validation of responses using NSEC3 will be hampered in validating
large portions of the DNS space.

I personally feel SHA-2 is in a similar boat given it has become a very popular digest algorithm and not supporting it significantly hampers the effectiveness of DNSSEC validation.

RFC 6840 Section 4 describes several security concerns. Some of these are merely clarifications of previous RFC text. As RFC 6840 states:

This section provides clarifications that, if overlooked, could lead
to security issues.

I similarly think these are important to include as a MUST statement.

The other text in the RFC discusses other concerns like interoperability and are not critical to the secure operations of DNSSEC.

If someone is aware of a modern DNS resolver that does not comply with sections 2 and 4 of RFC6840 please let me know. This RFC is now 12 years old and largely presents clarifications on the proper way to operate DNSSEC. I has been included in every RFC compliance list I have found.

Hi all,

I had gotten feedback from @CBonnell that RFC 4035 Section 4 contained several out of date SHOULD statements and required "security-aware" DNS resolvers to do more than what was strictly needed for DNSSEC validation at CAs. @dzacharo also noted that putting in additional SHOULD statements to update those requirements meant specifying several operational angles of DNS that could be left out of this ballot.

To remedy this situation, in the 4/17/2025 validation subcommittee teleconference @CBonnell proposed looking for a more narrow definition to pull in that would only mandate DNSSEC without any of the operational considerations.

Along these lines, I noticed that the "security-aware" DNS resolver definition in RFC 4035 Section 4 made many statements about the operational behavior of a security-aware DNS resolver (e.g., what types of caches it should maintain, how it should handle the DO and AD bits, etc.) which are not strictly relevant from the perspective a BR change mandating DNSSEC validation. However, Section 5 of RFC 4035 specifically describes the DNSSEC validation algorithm without specifying any of the other properties of a security-aware DNS resolver. Furthermore, the only RFC that updates RFC 4035 Section 5 is RFC 6840 Section 4, which is already being referenced in this ballot. There are 4 other RFCs that update statements made in Section 4 of RFC 4035 (including RFC 8198 section 7 brought up by @CBonnell) which would arguably each need an additional statement in the ballot text to address the ways in which RFC 4035 Section 4 text was inaccurate or out of date.

To this end, I changed the text to simply require implementation of the algorithm in RFC 4035 Section 5. This removed the need for the statement about validating the different security states and removed the SHOULD statement about the EDNS buffer size. Both of these statements were related to text in RFC 4035 Section 4.

I like that this is a more minimal specification and produces fewer lines of text.

@CBonnell and @dzacharo, please let me know your thoughts on this change.

Hi all,

I wonder what this ballot is supposed to require CAs to do in the following situations:

• If a TLD has misconfigured DNSSEC (e.g., the .CN domain's DNSSEC);
• If a domain’s DNS server rejects DNSSEC typed queries, yet the domain itself is DNSSEC unsigned.

@xiaohuilam

First and foremost I want to clarify that from the purposes of this ballot (and I would argue for DNSSEC in general), ".cn" is not misconfigured. The notices presented by dnsviz.net on this TLD are intended for DNS zone operators to improve their DNSSEC configuration. ".cn" does not lead to a lookup error on any DNSSEC validating resolver. In fact, the inclusion of RFC5155 in this ballot text ensures that CAs will resolve this zone correctly with a NOERROR response code. The proper configuration of .cn can be confirmed with the following command:

./unbound-host -v -D -t A cn
cn has no address (secure)

Notice the unbound host tool properly accepted the non-existence proof showing the domain has no IPv4 A address and marked the domain as “secure” (i.e., having a valid DNSSEC signature chain).

DNSSEC and non-DNSSEC domains under “.cn” also show NOERROR response codes and valid signatures. For example:

./unbound-host -v -D -t A sjtu.edu.cn
sjtu.edu.cn has address 202.120.2.119 (secure)

sjtu.edu.cn is DNSSEC signed under .cn and resolves fine.

At the end of this response, I have a more detailed discussion of the DNSSEC configuration on .cn, but it will not cause a lookup error on proper resolver implementations.

Regarding these specific points:

• If a TLD truly has a bogus DNSSEC configuration: This will cause a lookup error for domains under this TLD as the DNSSEC signature chain cannot be established. As I discussed earlier, .cn is not an example of this situation, and I know of no such contemporary instances of DNSSEC resolution errors at the TLD level. This ballot is also written in a way to allow resolvers to return NOERROR wherever possible without degrading security (e.g., BCPs and updates to DNSSEC mandating more specific behaviors have been omitted).

• If a domain’s DNS authoritative server rejects DNSSEC queries, and the domain itself is DNSSEC unsigned: This case is perfectly fine and will lead to normal certificate issuance with no lookup errors. A domain’s DNSSSEC state is established by the parent zone via the inclusion of a DS record at that domain name. Presuming the parent zone is a properly DNSSEC-configured TLD (or even just a non-DNSSEC TLD), the recursive resolver will know not to expect any DNSSEC data at the domain because there is no DS record. Conventional non-DNSSEC resolution behavior is used when talking to this domain’s servers. The authoritative servers do not need to answer any DNSSEC-related queries since they did not opt in. If a domain was configured with authoritative servers that had no knowledge of DNSSEC, that domain will still resolve fine even with DNSSEC validation because the recursive resolver knows not to expect any signature on that domain.

Regarding the .cn DNSSEC configuration:

As I stated above, this DNSSEC configuration is perfectly valid. DNSVis’s complaint with the domain (seen when the non-existence setting is turned on) is that it does not follow RFC 9276 which is Best Current Practice 236 (BCP 236). Specifically, .cn uses the hash-iterations field of its NSEC3 record (which is well defined and standardized in RFC 5155 and would be supported by this ballot). BCP 236 states that domains MUST use an iteration count of 0 (i.e., not using hash iterations). .cn uses an iteration count of 10, but this is actually pretty standard and I have even seen 10 recommended elsewhere. Ironically, increasing the hash iteration count actually provides additional security against zone enumeration attacks for the .cn zone although presents a slightly higher load to DNSSEC-validating resolvers which is why it was set to zero in BCP 236.

Importantly:

• RFC 9276 is not Standards Track. It offers configuration guidance and is not redefining how DNSSEC validation is performed.
• RFC 9276 Section 3.1 (cited by DNSVis) is providing guidance to domain owners, not DNSSEC validators. Even under RFC 9276, a compliant DNSSEC validator will still accept non-zero hash iterations.
• RFC 9276 is not cited in this ballot. This ballot is intentionally written in a minimally-prescriptive manner to avoid complications related to the publications of new BCPs and updates to the standard.

Below is a full DNSSEC-enabled query for .cn and a DNSSEC-signed domain under .cn. Both return NOERROR codes and would not cause a validation problem by CAs.

henry@MacBook-Pro-259 ~ % dig +dnssec @8.8.8.8 cn IN A

; <<>> DiG 9.10.6 <<>> +dnssec @8.8.8.8 cn IN A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34587
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;cn.            	IN	A

;; AUTHORITY SECTION:
cn.        	1800	IN	SOA	a.dns.cn. root.cnnic.cn. 2033333274 7200 3600 2419200 21600

cn.        	1800	IN	RRSIG	SOA 8 1 86400 20250524025426 20250424015426 38388 cn. p3A7pKZ8v10ImFb5ybHEzUWI8YBnZllWgXd+UMGWKcY4CCeGBNrH2L4D dgqmKCeUDwTqliQmtCa8rGzOYE893C/mzHhmA8YQ59iHEmR/nUrUfj5/ x9589ltnTN3OAMdz79WekWpg1Iq6rv+euWQMRdFas9OBwxRBCiy6srCE DM8=

3QDAQA092EE5BELP64A74EBNB8J53D7E.cn. 21600 IN NSEC3 1 1 10 AEF123AB 3QM14FQ32F1CJFTP8D3J5BCTNP5BIELO  NS SOA RRSIG DNSKEY NSEC3PARAM

3QDAQA092EE5BELP64A74EBNB8J53D7E.cn. 21600 IN RRSIG NSEC3 8 2 21600 20250517012154 20250417004141 38388 cn. dfJK2fip7I07CNCsBLpqGrVEggXoGtPtk+/ILHrR320pMdQopfWxChJn IwfPYcvZIuMevjoRDIvGq3fWE3yCj4zjF9t1or42sT7UHrIx5Y8r++gP YVgxVO4RCEUpcSkQvTT6fIOLiFoSjhPUUKtg2kIR/jBxoXITcOBlANr4 uHw=

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 23 22:55:30 EDT 2025
;; MSG SIZE  rcvd: 492

henry@MacBook-Pro-259 ~ %

henry@MacBook-Pro-259 ~ % dig +dnssec @8.8.8.8 sjtu.edu.cn IN A

; <<>> DiG 9.10.6 <<>> +dnssec @8.8.8.8 sjtu.edu.cn IN A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50607
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;sjtu.edu.cn.        	IN	A

;; ANSWER SECTION:
sjtu.edu.cn.    	300	IN	A	202.120.2.119
sjtu.edu.cn.    	300	IN	RRSIG	A 8 3 300 20250523085516 20250423085516 9528 sjtu.edu.cn. Zsr8Aw3ursIiAE0TX8mryThHIWz7rCHhGfi+bRuAJNwZQtctK3hyTg9R aL4RGFPZrHs+T9dBGbGXawv83Vr26wY6C+FQI3Ah3t8uiQelWJ4yWefJ bwZPcN/ot6QnaBIcbQZjQNY0ObrCOPAjaYZq3W5708J5aSRJumwrM9pI Z2k=

Henry, thank you for putting together this proposal. GTS fully supports requiring DNSSEC validation for the additional security properties it provides. It has been mentioned that using an open source resolver should allow CAs to meet the requirements of this proposal. Coincidentally, GTS went through this exercise several months ago when we started the process of moving to a new DNS resolution solution using an open source resolver.

GTS has performed DNSSEC validation for several years now, so DNSSEC support was an important consideration when evaluating the available resolvers. I will share our analysis below to highlight some implementation considerations that may come up.

After eliminating resolvers which were not options for us due to license restrictions (this includes PowerDNS which uses the GNU GPLv2 license), we evaluated the following list:

Bind
Unbound
DJBDNS - Didn’t support DNSSEC out of the box
Knot - Had open DNSSEC related issues at the time of evaluation: https://gitlab.nic.cz/knot/knot-resolver/-/issues/910, this issue is now closed.
Hickory - At the time of evaluation, their site said it was not production ready.
CoreDNS - Does not function as a recursive resolver without a plugin such as libunbound.

We found Bind and Unbound to be the only feasible choices. Unbound has some level of security audit: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/ and Bind has extra functionality which we didn’t need and we didn’t want the additional attack surface. So we chose Unbound. One consideration to be aware of with this, is if a lot of CAs land on the same open source resolver, then a vulnerability or a bug in that resolver would render all of those CAs unable to operate, and possibly require mass revocations.

Hickory-DNS still carries the warning that it is not production ready: https://github.com/hickory-dns/hickory-dns/blob/main/bin/README.md?plain=1#L48

@geegeea
Thanks for sharing GTS's open source DNS analysis. I wanted to add some commentary regarding, testing an arbitrary deployment for DNSSEC support and the impact of the DNSSEC support requirement on selection of DNSSEC software.

DNSSEC Validation Testing

A purpose of this ballot is to implement DNSSEC in a way that is easy to verify and test. There are several services for testing the DNSSEC validation behavior of a resolver. One such service is Check My DNS by DNS OARC which can be run in a browser and does check for DNSSEC support (as well as other good security features of DNS resolvers).

Below I list several commands to test for specific DNSSEC features. In the below commands, replace <candidate-DNSSEC-validating-resolver> with the IP address of the DNS resolver being tested.

1. CAA Test suite's DNSSEC tests. CAA test suite (caatestsuite.com) already contains DNSSEC tests to test the DNSSEC validation behavior of DNS resolvers used to retrieve CAA records. expired.caatestsuite-dnssec.com,
   missing.caatestsuite-dnssec.com, blackhole.caatestsuite-dnssec.com, servfail.caatestsuite-dnssec.com, and refused.caatestsuite-dnssec.com should all return resolution failures that are not treated as permission to issue when queried with a DNSSEC-validating resolver. These tests can be run using dig <caa-test-suite-domain> IN CAA @<candidate-DNSSEC-validating-resolver>. A DNSSEC validating resolver will return an error response with status: SERVFAIL in the DIG response for all of these queries.

2. Simple successful queries of DNSSEC-signed domains. The CAA test suite examples include DNSSEC failure modes where a non-DNSSEC-validating resolver may return a successful query, but proper DNSSEC validation makes the result a SERVFAIL due to invalid signatures. It is also important to confirm the positive capabilities required of the DNSSEC validator. Simply querying any DNSSEC-signed domain can largely confirm this. One specific example is cloudflare.com which is DNSSEC signed. The command dig cloudflare.com IN CAA @<candidate-DNSSEC-validating-resolver> should return 1) CloudFlare's CAA records, 2) status: NOERROR for the status code and, 3) the AD flag shows by dig as flags: ... ad .... There can be other flags present in the flags list, but the ad flag should be included to indicate the resolver successfully performed validation and determined that domain was secure. The DNSSEC chain to CloudFlare's domain contains DS records with digest type 2 (thus confirming the DS-record SHA-2 support required by this ballot) and RRSIG records with algorithm type 8 from gtld-servers.net (thus confirming the algorithm 8 support required by this ballot). CloudFlare also uses algorithm type 13 which is very popular and good to be supported although not required by this ballot. Seeing the status: NOERROR and ad flag implies support for all three of these techniques.

3. Successful queries of non-existent record sets using NSEC and NSEC3. The above commands do not explicitly test handling of NSEC or NSEC3 records because in all cases either the requested records existed or there was a DNSSEC validation error. CloudFlare uses NSEC and the proper handling of this can be tested using dig xyz.cloudflare.com in CAA +dnssec @<candidate-DNSSEC-validating-resolver> (where xyz is some non-existent CloudFlare subdomain). Here the appropriate response from a DNSSEC-validating resolver is status: NOERROR, flags: ... ad ..., and ANSWER: 0 in the header section of the dig response. The DNS-validating resolver should also the relevant RRSIG and NSEC records proving non-existence, but the header checks alone ensure these records were validated successfully. To test NSEC3 behavior, dig com IN CAA @<candidate-DNSSEC-validating-resolver> will produce a negative result with NSEC3 records. For those who are interested, cn can be used in place of com to get a response with the same header, reaffirming cn's valid DNSSEC configuration (i.e., dig cn IN CAA @<candidate-DNSSEC-validating-resolver>). This response should similarly show status: NOERROR, flags: ... ad ..., and ANSWER: 0 in the header section of the dig response.

To make the above-mentioned testing process automated, you can see the script at https://github.com/birgelee/dnssec-validator-test for an example. To be clear, the best way to verify the required DNSSEC support is by documentation and confirmation with the project maintainers. These tests are not exhaustive.

Impact of the DNSSEC requirement on the available options of DNS software

Regarding the analysis presented by @geegeea , I want to mention that I do not think Knot Resolver should be excluded based on the now patched DNSSEC bug @geegeea mentioned. Knot resolver powered CloudFlare's 1.1.1.1 for a long time (https://blog.cloudflare.com/big-pineapple-intro/), is deployed by many large organizations, and offers an SLA for enterprises (https://www.knot-resolver.cz/support/pro/). Additionally, the maintainers of Knot Resolver (CZ.NIC) also provide one of the most widely used linux software routers (Bird) and have a fairly good reputation. Even reputable projects occasionally see bugs.

Unbound and Bind, mentioned by @geegeea are also good alternatives. The Open MPIC project maintains an Unbound container (https://github.com/open-mpic/open-mpic-containers/tree/main/unbound), and Bind is probably the oldest and most established DNS resolver option. As @geegeea mentioned, people sometimes prefer lighter-weight resolvers like Unbound or Knot due to bloat concerns with Bind which 1) packages its recursive resolver with its authoritative DNS implementation and 2) has an extensive feature set which may not be needed in all cases.

Hickory DNS is not production ready but will likely be the chosen option by Let's Encrypt once its development is complete (it is funded by the same parent organization ISRG). One advantage of Hickory DNS is that it is written in Rust, a memory safe language, whereas many of the other options are C or C++ codebases (primarily for efficiency).

At a higher level, I think the most relevant consideration for this ballot is: to what extent does the DNSSEC requirement limit the number of DNS resolvers available to CAs? I would personally argue that requiring DNSSEC in fact assists with good DNS resolver choice and DNS resolvers that have not implemented DNSSEC are likely poorly maintained or not intended for enterprise use. E.g., DJBDNS does not natively support DNSSEC and the project is often considered no longer maintained (although many patches exist).

While not an authoritative source, Wikipedia provides a very rough overview and lists 14 options for recursive DNS resolvers (13 if you count dbndns and djbdns as the same). Of these 13 options, only 4 lack DNSSEC support including options like djbdns (discussed earlier), Posadis (which has not had a new release since 2013) and Mara DNS (which seems to have one maintainer). Obviously, choice of DNS resolver is dependent on the needs of a CA, but I do think there are several options for DNS resolvers that support DNSSEC, and I feel DNSSEC support does not significantly limit DNS resolver options. Furthermore, many DNS resolvers specifically list RFCs they comply with ([Hickory] [Bind] [Unbound] [Power DNS], [Knot]) or make explicit statements about their support for DNSSEC (e.g., [Technitium], [MS DNS], [Secure64 Cache])). DNS resolver project maintainers can verify the required feature set for a CA. To clarify, the features mentioned in this ballot are quite standard on modern DNS resolvers.

While I do agree that there is some centralization in the DNS ecosystem particularly when constraints like licensing terms are imposed, I do not feel the DNSSEC requirement significantly reduces the available options of DNS resolvers and I think DNSSEC support is a good litmus test for whether a DNS resolver is well maintained and suitable for enterprise use.

Henry, thank you for the commentary. Is it correct to summarize from the comment that resolvers like Unbound, Bind, and Knot are all good candidates for meeting the requirements of this ballot, but to definitively say so we would need to refer to documentation or confirm with maintainers?

Regarding resolver choice, we agree with the assessment that:
The most relevant consideration for this ballot is: to what extent does the DNSSEC requirement limit the number of DNS resolvers available to CAs?
Requiring DNSSEC assists with good resolver choice

There is an assumption in the commentary that CAs all use third party resolvers (third party meaning a resolver which is developed outside of the CA’s org, not the BR term “delegated third party”). This may not be true, some CAs could have in-house developed resolvers, and depending on the enforcement timeline, this ballot could push most CAs to use third party resolvers. This may not be a significant risk for this ballot, but I want to point it out so the choice is intentional.